SB2023120410 - Multiple vulnerabilities in Traefik

Description

This security bulletin contains information about 3 secuirty vulnerabilities.

1) Resource exhaustion (CVE-ID: CVE-2023-47633)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to application does not properly control consumption of internal resources when processing traffic for Docker containers. A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack.

2) Improper Authorization (CVE-ID: CVE-2023-47106)

The vulnerability allows a remote attacker to bypass authorization.

The vulnerability exists due to the way Traefik handles requests with URL fragments. A remote attacker can use a specially crafted URL to bypass URI-based access control restrictions, when combined with another frontend proxy like Nginx.

3) Improper Resource Locking (CVE-ID: CVE-2023-47124)

The vulnerability allows a remote attacker to perform a denial of service attack.

The vulnerability exists due to the way the application handles ACME HTTP challenge. If Traefik is configured to use the HTTPChallenge to generate and renew the Let's Encrypt TLS certificates, the delay authorized to solve the challenge of 50 seconds can be exploited by perform a slowloris attack.

Remediation

Install update from vendor's website.

References

• https://github.com/traefik/traefik/security/advisories/GHSA-6fwg-jrfw-ff7p
• https://github.com/traefik/traefik/security/advisories/GHSA-fvhj-4qfh-q2hm
• https://github.com/traefik/traefik/security/advisories/GHSA-8g85-whqh-cr2f